top of page

Explosion (VIP only)


Enumeration


As usual, let's start with nmap

nmap -sV IP

Replace IP by the IP of the target machine (Explosion)


Note: The IP of our target machine will change all the time, make sure your replace IP in the command below by the target machine's IP. You can find the target's IP directly from your hack the box account.

We can see port 445 is open, which is associated with SMB. We can find 3 shares but our access is denied for each of them.


Let's look into port 3389. Port 3389 is often used for RDP (Remote Desktop Protocol)

We can use a tool called xfreerdp that will allow us to see the target's screen or display.



Foothold


Let's first use the command:

xfreerdp -h

-h for help

Check the line

Usage: xfreerdp [file] [options] [/v:<server>[:port]]


If we ignore [file] and [options] and [port] we end up with the basic command:

xfreerdp /v:10.129.1.13

Press Y and press enter to trust certificate

For the Domain let's try the name of the machine which is Explosion

Now we are prompted for the password. If the service has been misconfigured we may be able to login without a password. Let's try our luck and just press enter.

This failed.


With xfreerdp , if we don't provide a specific username, the service will use our VM username as default.

Let's provide a username this time. For instance, admin OR Administrator OR root OR user.


We will use Administrator.

xfreerdp /v:10.129.1.13 /u:Administrator

We do not know the password so let's just press enter

It works! The service was misconfigured and allowed us to get in with no password!

Click on No

Minimize the Server Manager Dashboard and you should now see the Desktop of the target machine:

On the Desktop, there is a file called flag. Let's open it!

You got the flag! Congratulations!

7,908 views1 comment

Recent Posts

See All

1 Comment

Rated 0 out of 5 stars.
No ratings yet

Add a rating
kamara williams
kamara williams
Jun 02, 2023

I was stack, didn't know that you had to minimize the server manager dashboard to see the flag folder. Thanks very much

Like
bottom of page